Apple ID Hacked

My Apple ID got hacked today.
I directly called Apple to block everything, so now I have changed the email address and password and also the security questions.

But I don't understand how they could possibly do this?

They changed the email address and password into a yahoo.com email address. I got a mail with the yahoo.com address in it, and when I told the Apple support guy the address he got my security questions, which were not changed.

Now I am a little bit scared that they hacked my iMac to get the security questions?
I don't know how else they could hack into my account. I never gave my password to anyone, not even to my own family.

Does anyone know more about this???
Or has the same thing maybe happened to anyone here?

Is your original email Yahoo? Yahoo is notorious for having a bunch of issues with hacks into email, quite a few of my friends with yahoo had their email hacked. I wonder if they could somehow have got in that way?
If they knew it was a Yahoo email they could then have done a password reset against the iCloud account maybe?

Nope. Definitely not.
Some time ago I did get a message which said click here because otherwise your Apple ID will expire.
I of course just deleted the mail.
I am not that old or stupid enough to fall for the phishing mails.

Nope. Definitely not.
Some time ago I did get a message which said click here because otherwise your Apple ID will expire.
I of course just deleted the mail. I am not that old or stupid enough to fall for the phishing mails.

Watch it now...you're equating old with gullible or stupid.

We old, gullible, not-so-bright folks are very sensitive about that stuff!

Did you have a simple password? Because even if attempts are limited on a single account, they might do what I'll call a "reverse brute force", e.g. rather than attack one account a million times, you attack a million accounts one time using the same password.
Picking a common one, say 'password' or '123456' or perhaps both.

All you'd need is a list of valid emails to start with.
Let's say you have 1 million email addresses;
if only 1% of those are associated with iTunes
and only 1% of those have 'password' or '123456' as the password,
that would get you 100 iTunes accounts!

I read on a Dutch forum that in iTunes you can do unlimited attempts to log in?
If this is true, then they could have done a brute force attack with some kind of program to unveil my password???

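The "reverse brute force" Tumbleweed666 describes is what defenders call password spraying: one guess against many accounts, so a per-account attempt limit never trips. As an added example (not from any poster in this thread), this is the detection logic a service operator would run over its authentication log; the log format, IP addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not from any real system). One source
# tries a single guess against many different accounts; a second source
# hammers one account, which is the pattern per-account lockouts are built for.
SAMPLE_LOG = """\
2013-04-01T10:00:01 src=203.0.113.5 user=alice@example.com result=FAIL
2013-04-01T10:00:02 src=203.0.113.5 user=bob@example.com result=FAIL
2013-04-01T10:00:03 src=203.0.113.5 user=carol@example.com result=FAIL
2013-04-01T10:00:04 src=203.0.113.5 user=dave@example.com result=SUCCESS
2013-04-01T10:00:05 src=203.0.113.5 user=erin@example.com result=FAIL
2013-04-01T10:01:00 src=198.51.100.7 user=frank@example.com result=FAIL
2013-04-01T10:01:30 src=198.51.100.7 user=frank@example.com result=FAIL
2013-04-01T10:02:00 src=198.51.100.7 user=frank@example.com result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the hypothetical key=value log format above into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "result": m["result"]})
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that fail against >= min_accounts DISTINCT accounts inside `window`.
    Per-account lockouts never fire on this pattern (each account sees one guess);
    the signal is the fan-out from a single source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        fails = sorted((e for e in evs if e["result"] == "FAIL"), key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(fails)):  # sliding time window over this source's failures
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            distinct = {e["user"] for e in fails[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                # Accounts the same source then logged into matched the sprayed guess.
                hits = sorted(e["user"] for e in evs if e["result"] == "SUCCESS")
                alerts[src] = {"distinct_accounts": len(distinct), "successes": hits}
                break
    return alerts
```

The second source in the sample (three tries on one account) is what a conventional per-account limit catches; the first source is invisible to that limit and only shows up through the per-source fan-out.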
IMO, you should consider enabling two-factor authentication on any of your important accounts.

Instead of authenticating you just based only on "something you know" (like a password, or the answers to security questions), it also factors in "something you have", like sending a verification code to a device you own, and then having you type that code into the browser, before you can continue. IMO, Apple does a good job of explaining how they implement it in the link below.

@Tumbleweed666
My password was not that simple, but it was also not a very complex one, more like something in between. So I doubt they used your theory, but who knows...
I am starting to think it is someone who knows me and has some kind of grudge against me.

@aristobrat
That is a nice security feature; unfortunately, it is not yet available in my country.
There are really just a few countries where it is available at the moment, but when it comes to the Netherlands I will definitely use it.
Thank you for pointing it out.

Quote

In which countries is two-step verification available?

Initially, two-step verification is being offered in the U.S., UK, Australia, Ireland, and New Zealand. Additional countries will be added over time. When your country is added, two-step verification will automatically appear in the Password and Security section of Manage My Apple ID when you sign in to My Apple ID.

@Tumbleweed666
...
I am starting to think it is someone who knows me and has some kind of grudge against me.
...

It depends on how you answered your security questions. It is very easy, in some cases, to use information you have openly provided on - for example - Facebook to answer the 'secret' security questions for a different application. A number of years ago when Palin was running for VP of the US, hackers used publicly available biographical information to break into her personal email account. So it is entirely possible that someone who knows you, and can answer the security questions, may have hacked your Apple ID. I would start looking at younger brothers to begin with...

IMO, you should consider enabling two-factor authentication on any of your important accounts.

Instead of authenticating you just based only on "something you know" (like a password, or the answers to security questions), it also factors in "something you have", like sending a verification code to a device you own, and then having you type that code into the browser, before you can continue. IMO, Apple does a good job of explaining how they implement it in the link below.

Thanks for the heads up. I've just started that (you can't do it immediately, there is a 3 day wait after you start the process). I've got this on my PayPal account already, bit of a pain but worth it when you consider what you'd feel like if your account got hacked.

It depends on how you answered your security questions. It is very easy, in some cases, to use information you have openly provided on - for example - Facebook to answer the 'secret' security questions for a different application. A number of years ago when Palin was running for VP of the US, hackers used publicly available biographical information to break into her personal email account. So it is entirely possible that someone who knows you, and can answer the security questions, may have hacked your Apple ID. I would start looking at younger brothers to begin with...

This is a good point. My answers to those type of questions are treated as another password, e.g. where were you born? "asirfwnv", first car? "dis466bddg", etc.

This is a good point. My answers to those type of questions are treated as another password, e.g. where were you born? "asirfwnv", first car? "dis466bddg", etc.

I've been doing this for a long time. The answers need to be long enough that they can't be brute-forced.

Sometimes they also need to be readable, because sometimes they have to be given to a person on the other end, who triggers a password reset.

Another important tactic that hasn't been mentioned: never reuse a password. That is, every password on any meaningful account is unique to that account. No reuse. Ever. Unless you truly don't care about who uses the account.
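The last two posts pull in opposite directions: security answers should be random like "dis466bddg" and long enough to resist guessing, yet sometimes readable enough to dictate to a support agent. As an added example (not from any poster), this shows how to size both styles to the same entropy target; the 16-word list is a constructed stand-in, and the 7776-word size is that of a standard diceware-style list.

```python
import math
import secrets
import string

# Constructed stand-in word list for the demo; a real diceware-style list has 7776 words.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "gravel", "harbor",
                "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orchid", "pebble"]
DICEWARE_LIST_SIZE = 7776
ALNUM = string.ascii_lowercase + string.digits  # 36 symbols, like "dis466bddg"

def entropy_bits(alphabet_size, picks):
    """Entropy of `picks` independent, uniformly random choices from `alphabet_size` options."""
    return picks * math.log2(alphabet_size)

def picks_needed(target_bits, alphabet_size):
    """Smallest number of random picks that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def random_char_answer(length=10):
    """Gibberish style: strong per character, but awkward to read out over the phone."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def random_word_answer(words, count):
    """Readable style: random words joined by spaces; strength comes from the list size."""
    return " ".join(secrets.choice(words) for _ in range(count))

def years_to_guess(bits, guesses_per_second):
    """Expected time to hit the answer (half the keyspace) at a sustained guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 86400)
```

Ten random alphanumerics give about 51.7 bits; four words from a 7776-word list reach the same order, while four words from the 16-word demo list give only 16 bits, which falls in under a minute at a thousand guesses per second.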
